build-push-action: SBOM can't access path `/run/src/core/sbom/proc/mounts`
Contributing guidelines
- I’ve read the contributing guidelines and wholeheartedly agree
I’ve found a bug, and:
- The documentation does not mention anything about my problem
- There are no open or closed issues that are related to my problem
Description
When using the below config in my Docker build for the workflow, I get the below error
Error
#14 [linux/amd64] generating sbom using docker.io/docker/buildkit-syft-scanner:stable-1
#14 0.205 time="2023-09-26T10:37:08Z" level=info msg="starting syft scanner for buildkit v1.2.0"
#14 0.236 [0000] WARN unable to access path="/run/src/core/sbom/proc/mounts": lstat /run/src/core/sbom/proc/mounts: no such file or directory
#14 DONE 0.5s
Expected behaviour
Docker builds the image, generates the SBOM and then pushes the image with the attached SBOM data in the manifest for the container
Actual behaviour
SBOM would be generated and no error would be found
Repository URL
No response
Workflow run URL
No response
YAML workflow
- name: Build
  uses: docker/build-push-action@v5
  with:
    push: true
    context: ./
    file: Dockerfile
    provenance: mode=max
    sbom: true
    tags: |
      europe-west2-docker.pkg.dev/redacted/${{ inputs.repository }}/${{ inputs.image}}:${{steps.tag.outputs.sha}}
      europe-west2-docker.pkg.dev/redacted/${{ inputs.repository }}/${{ inputs.image}}:${{steps.tag.outputs.ref}}
      europe-west2-docker.pkg.dev/redacted/${{ inputs.repository }}/${{ inputs.image}}:${{steps.tag.outputs.ref}}-${{steps.tag.outputs.sha}}
      europe-west2-docker.pkg.dev/redacted/${{ inputs.repository }}/${{ inputs.image}}:dev
      europe-west2-docker.pkg.dev/redacted/${{ inputs.repository }}/${{ inputs.image}}:latest
Workflow logs
/usr/bin/docker buildx build --file containers/kubectl//Dockerfile --iidfile /tmp/docker-actions-toolkit-AdZkCo/iidfile --provenance mode=max,builder-id=https://github.com/redacted/redacted/actions/runs/6311325738 --sbom true --tag europe-west2-docker.pkg.dev/redacted/redacted/kubectl:679d795 --tag europe-west2-docker.pkg.dev/redacted/redacted/kubectl:redacted-SBOM --tag europe-west2-docker.pkg.dev/redacted/redacted/kubectl:redacted-SBOM-679d795 --tag europe-west2-docker.pkg.dev/redacted/redacted/kubectl:dev --tag europe-west2-docker.pkg.dev/redacted/redacted/kubectl:latest --metadata-file /tmp/docker-actions-toolkit-AdZkCo/metadata-file --push containers/kubectl/
#0 building with "default" instance using docker driver
#1 [internal] load .dockerignore
#1 transferring context: 2B done
#1 DONE 0.0s
#2 [internal] load build definition from Dockerfile
#2 transferring dockerfile: 1.10kB done
#2 DONE 0.0s
#3 [auth] docker/buildkit-syft-scanner:pull token for registry-1.docker.io
#3 DONE 0.0s
#4 resolve image config for docker.io/docker/buildkit-syft-scanner:stable-1
#4 DONE 0.3s
#5 [internal] load metadata for europe-west2-docker.pkg.dev/redacted/containers/alpine:3.18.2
#5 ...
#6 [auth] redacted/containers/alpine:pull token for europe-west2-docker.pkg.dev
#6 DONE 0.0s
#5 [internal] load metadata for europe-west2-docker.pkg.dev/redacted/containers/alpine:3.18.2
#5 DONE 2.5s
#7 [1/6] FROM europe-west2-docker.pkg.dev/redacted/containers/alpine:3.18.2@sha256:82d1e9d7ed48a7523bdebc18cf6290bdb97b82302a8a9c27d4fe885949ea94d1
#7 resolve europe-west2-docker.pkg.dev/redacted/containers/alpine:3.18.2@sha256:82d1e9d7ed48a7523bdebc18cf6290bdb97b82302a8a9c27d4fe885949ea94d1 done
#7 sha256:82d1e9d7ed48a7523bdebc18cf6290bdb97b82302a8a9c27d4fe885949ea94d1 1.64kB / 1.64kB done
#7 sha256:25fad2a32ad1f6f510e528448ae1ec69a28ef81916a004d3629874104f8a7f70 528B / 528B done
#7 sha256:c1aabb73d2339c5ebaa3681de2e9d9c18d57485045a4e311d9f8004bec208d67 1.47kB / 1.47kB done
#7 sha256:31e352740f534f9ad170f75378a84fe453d6156e40700b882d737a8f4a6988a3 0B / 3.40MB 0.1s
#7 ...
#8 docker-image://docker.io/docker/buildkit-syft-scanner:stable-1
#8 resolve docker.io/docker/buildkit-syft-scanner:stable-1 0.1s done
#8 sha256:ee374bcc416fd776e1e29831481c2bb5cd0616652104cd902baa0d111208d683 4.64kB / 4.64kB done
#8 sha256:13b7d9e2a3623dbe727045830d6d015168b26c7647c0419448309084fb03ebd4 482B / 482B done
#8 sha256:c3c9e7ab62e4e34629be521735d3e3af40a5545882030ac4c324d4821aa7629c 2.29kB / 2.29kB done
#8 sha256:5ad95de4207de923f82a2517ca654b09c9c8251fb7eb25242442a368d631c89d 21.07MB / 21.07MB 0.2s done
#8 extracting sha256:5ad95de4207de923f82a2517ca654b09c9c8251fb7eb25242442a368d631c89d 0.3s done
#8 DONE 0.6s
#7 [1/6] FROM europe-west2-docker.pkg.dev/redacted/containers/alpine:3.18.2@sha256:82d1e9d7ed48a7523bdebc18cf6290bdb97b82302a8a9c27d4fe885949ea94d1
#7 extracting sha256:31e352740f534f9ad170f75378a84fe453d6156e40700b882d737a8f4a6988a3
#7 sha256:31e352740f534f9ad170f75378a84fe453d6156e40700b882d737a8f4a6988a3 3.40MB / 3.40MB 1.1s done
#7 extracting sha256:31e352740f534f9ad170f75378a84fe453d6156e40700b882d737a8f4a6988a3 0.1s done
#7 DONE 1.2s
#9 [2/6] RUN apk add curl
#9 0.216 fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz
#9 0.327 fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/community/x86_64/APKINDEX.tar.gz
#9 0.586 (1/7) Installing ca-certificates (20230506-r0)
#9 0.601 (2/7) Installing brotli-libs (1.0.9-r14)
#9 0.612 (3/7) Installing libunistring (1.1-r1)
#9 0.627 (4/7) Installing libidn2 (2.3.4-r1)
#9 0.631 (5/7) Installing nghttp2-libs (1.55.1-r0)
#9 0.634 (6/7) Installing libcurl (8.3.0-r0)
#9 0.642 (7/7) Installing curl (8.3.0-r0)
#9 0.646 Executing busybox-1.36.1-r0.trigger
#9 0.650 Executing ca-certificates-20230506-r0.trigger
#9 0.690 OK: 12 MiB in 22 packages
#9 DONE 0.9s
#10 [3/6] RUN curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
#10 0.393 % Total % Received % Xferd Average Speed Time Time Time Current
#10 0.393 Dload Upload Total Spent Left Speed
#10 0.393
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 138 100 138 0 0 2029 0 --:--:-- --:--:-- --:--:-- 2059
#10 0.630
100 47.5M 100 47.5M 0 0 200M 0 --:--:-- --:--:-- --:--:-- 200M
#10 DONE 0.7s
#11 [4/6] RUN rm -rf /var/cache/apk/*
#11 DONE 0.3s
#12 [5/6] RUN install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
#12 DONE 0.5s
#13 [6/6] RUN rm /kubectl
#13 DONE 0.3s
#14 [linux/amd64] generating sbom using docker.io/docker/buildkit-syft-scanner:stable-1
#14 0.205 time="2023-09-26T10:37:08Z" level=info msg="starting syft scanner for buildkit v1.2.0"
#14 0.236 [0000] WARN unable to access path="/run/src/core/sbom/proc/mounts": lstat /run/src/core/sbom/proc/mounts: no such file or directory
#14 DONE 0.5s
#15 exporting to image
#15 exporting layers
#15 exporting layers 0.9s done
#15 writing image sha256:aa6c5b0566b9b29d4009c36cf67e937d1df5a5969b7f6a384f3f12dbc5f18b2d done
#15 naming to europe-west2-docker.pkg.dev/redacted/redacted/kubectl:679d795 done
#15 naming to europe-west2-docker.pkg.dev/redacted/redacted/kubectl:redacted-SBOM done
#15 naming to europe-west2-docker.pkg.dev/redacted/redacted/kubectl:redacted-SBOM-679d795 done
#15 naming to europe-west2-docker.pkg.dev/redacted/redacted/kubectl:dev done
#15 naming to europe-west2-docker.pkg.dev/redacted/redacted/kubectl:latest done
#15 DONE 0.9s
#16 pushing europe-west2-docker.pkg.dev/redacted/redacted/kubectl:679d795 with docker
#16 pushing layer 2cca9b1cf126
#16 pushing layer befc486b4ee2
#16 pushing layer f17c29510b58
#16 pushing layer a976f4c9d4fb
#16 pushing layer b7a145b77dd7
#16 pushing layer 78a822fe2a2d 0.0s
#16 pushing layer b7a145b77dd7 2.29MB / 6.05MB 0.4s
#16 pushing layer b7a145b77dd7 4.85MB / 6.05MB 0.5s
#16 pushing layer b7a145b77dd7 6.33MB / 6.05MB 0.6s
#16 pushing layer befc486b4ee2 2.62MB / 49.86MB 0.8s
#16 pushing layer a976f4c9d4fb 4.72MB / 49.86MB 0.9s
#16 pushing layer a976f4c9d4fb 7.34MB / 49.86MB 1.1s
#16 pushing layer befc486b4ee2 7.34MB / 49.86MB 1.1s
#16 pushing layer a976f4c9d4fb 9.96MB / 49.86MB 1.2s
#16 pushing layer befc486b4ee2 9.96MB / 49.86MB 1.2s
#16 pushing layer a976f4c9d4fb 12.58MB / 49.86MB 1.3s
#16 pushing layer befc486b4ee2 12.58MB / 49.86MB 1.4s
#16 pushing layer a976f4c9d4fb 15.20MB / 49.86MB 1.5s
#16 pushing layer befc486b4ee2 15.21MB / 49.86MB 1.5s
#16 pushing layer a976f4c9d4fb 19.40MB / 49.86MB 1.7s
#16 pushing layer befc486b4ee2 19.40MB / 49.86MB 1.7s
#16 pushing layer a976f4c9d4fb 22.02MB / 49.86MB 1.8s
#16 pushing layer befc486b4ee2 22.02MB / 49.86MB 1.9s
#16 pushing layer a976f4c9d4fb 25.69MB / 49.86MB 2.1s
#16 pushing layer befc486b4ee2 25.69MB / 49.86MB 2.2s
#16 pushing layer 2cca9b1cf126 2.1s done
#16 pushing layer a976f4c9d4fb 29.88MB / 49.86MB 2.4s
#16 pushing layer befc486b4ee2 30.41MB / 49.86MB 2.4s
#16 pushing layer a976f4c9d4fb 32.51MB / 49.86MB 2.5s
#16 pushing layer befc486b4ee2 33.03MB / 49.86MB 2.6s
#16 pushing layer befc486b4ee2 40.37MB / 49.86MB 2.8s
#16 pushing layer a976f4c9d4fb 39.85MB / 49.86MB 2.8s
#16 pushing layer befc486b4ee2 42.99MB / 49.86MB 2.9s
#16 pushing layer a976f4c9d4fb 42.47MB / 49.86MB 2.9s
#16 pushing layer befc486b4ee2 45.62MB / 49.86MB 3.1s
#16 pushing layer f17c29510b58 2.8s done
#16 pushing layer a976f4c9d4fb 48.24MB / 49.86MB 3.1s
#16 pushing layer befc486b4ee2 49.87MB / 49.86MB 3.3s
#16 pushing layer b7a145b77dd7 3.1s done
#16 pushing layer a976f4c9d4fb 4.6s done
#16 pushing layer befc486b4ee2 4.8s done
#16 pushing layer 78a822fe2a2d 6.6s done
#16 DONE 6.7s
#17 pushing europe-west2-docker.pkg.dev/redacted/redacted/kubectl:redacted-SBOM with docker
#17 pushing layer 2cca9b1cf126 0.6s
#17 pushing layer 2cca9b1cf126 1.3s done
#17 pushing layer befc486b4ee2 1.3s done
#17 pushing layer f17c29510b58 1.3s done
#17 pushing layer a976f4c9d4fb 1.3s done
#17 pushing layer b7a145b77dd7 1.3s done
#17 pushing layer 78a822fe2a2d 1.3s done
#17 DONE 1.3s
#18 pushing europe-west2-docker.pkg.dev/redacted/redacted/kubectl:redacted-SBOM-679d795 with docker
#18 pushing layer befc486b4ee2 1.8s done
#18 pushing layer 2cca9b1cf126 1.8s done
#18 pushing layer f17c29510b58 1.8s done
#18 pushing layer a976f4c9d4fb 1.8s done
#18 pushing layer b7a145b77dd7 1.8s done
#18 pushing layer 78a822fe2a2d 1.8s done
#18 DONE 1.8s
#19 pushing europe-west2-docker.pkg.dev/redacted/redacted/kubectl:dev with docker
#19 pushing layer 2cca9b1cf126 1.4s done
#19 pushing layer befc486b4ee2 1.4s done
#19 pushing layer f17c29510b58 1.4s done
#19 pushing layer a976f4c9d4fb 1.4s done
#19 pushing layer b7a145b77dd7 1.4s done
#19 pushing layer 78a822fe2a2d 1.4s done
#19 DONE 1.5s
#20 pushing europe-west2-docker.pkg.dev/redacted/redacted/kubectl:latest with docker
#20 pushing layer 2cca9b1cf126 1.4s done
#20 pushing layer befc486b4ee2 1.4s done
#20 pushing layer f17c29510b58 1.4s done
#20 pushing layer a976f4c9d4fb 1.4s done
#20 pushing layer b7a145b77dd7 1.4s done
#20 pushing layer 78a822fe2a2d 1.4s done
BuildKit logs
/usr/bin/docker buildx version
github.com/docker/buildx v0.11.2 9872040
Additional info
/usr/bin/docker version
Client: Docker Engine - Community
Version: 24.0.6
API version: 1.43
Go version: go1.20.7
Git commit: ed223bc
Built: Mon Sep 4 12:31:44 2023
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 24.0.6
API version: 1.43 (minimum version 1.12)
Go version: go1.20.7
Git commit: 1a79695
Built: Mon Sep 4 12:31:44 2023
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.22
GitCommit: 8165feabfdfe38c65b599c4993d227328c231fca
runc:
Version: 1.1.8
GitCommit: v1.1.8-0-g82f18fe
docker-init:
Version: 0.19.0
GitCommit: de40ad0
/usr/bin/docker info
Client: Docker Engine - Community
Version: 24.0.6
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.11.2
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.21.0
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 17
Server Version: 24.0.6
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: false
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 8165feabfdfe38c65b599c4993d227328c231fca
runc version: v1.1.8-0-g82f18fe
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.2.0-1011-azure
Operating System: Ubuntu 22.04.3 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 6.76GiB
Name: fv-az400-638
ID: c80a2c29-1ffe-4d20-baa0-434399b837a0
Docker Root Dir: /var/lib/docker
Debug Mode: false
Username: githubactions
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
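One way to check the outcome described under "Expected behaviour", that the pushed image actually carries an SBOM attestation (added example, not code from the issue or from Docker). It assumes the layout BuildKit uses for attestations: an image index whose attestation manifests are annotated with `vnd.docker.reference.type` and `vnd.docker.reference.digest` and hold in-toto layers; the sample index, the placeholder digests and the function names are constructed.

```python
import json

# Constructed sample data (placeholder digests, not taken from the issue).
INDEX = json.loads("""
{"schemaVersion": 2, "mediaType": "application/vnd.oci.image.index.v1+json",
 "manifests": [
  {"digest": "sha256:aaaa", "platform": {"architecture": "amd64", "os": "linux"}},
  {"digest": "sha256:bbbb", "platform": {"architecture": "unknown", "os": "unknown"},
   "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                   "vnd.docker.reference.digest": "sha256:aaaa"}},
  {"digest": "sha256:cccc", "platform": {"architecture": "arm64", "os": "linux"}}
 ]}
""")
# Attestation manifests keyed by digest, standing in for a registry fetch.
MANIFESTS = {"sha256:bbbb": {"layers": [
    {"mediaType": "application/vnd.in-toto+json",
     "annotations": {"in-toto.io/predicate-type": "https://slsa.dev/provenance/v0.2"}},
    {"mediaType": "application/vnd.in-toto+json",
     "annotations": {"in-toto.io/predicate-type": "https://spdx.dev/Document"}}]}}

SPDX = "https://spdx.dev/Document"

def has_sbom(att_manifest):
    """True if the attestation manifest holds an in-toto layer with an SPDX predicate."""
    return any(l.get("mediaType") == "application/vnd.in-toto+json"
               and (l.get("annotations") or {}).get("in-toto.io/predicate-type") == SPDX
               for l in att_manifest.get("layers", []))

def images_missing_sbom(index, fetch_manifest):
    """Return digests of platform images that no SBOM attestation points to."""
    if "manifests" not in index:
        # BuildKit attaches attestations through the index, so a bare
        # image manifest carries none.
        raise ValueError("not an image index: no attestations attached")
    images, covered = [], set()
    for m in index["manifests"]:
        ann = m.get("annotations") or {}
        if ann.get("vnd.docker.reference.type") == "attestation-manifest":
            if has_sbom(fetch_manifest(m["digest"]) or {}):
                covered.add(ann.get("vnd.docker.reference.digest"))
        else:
            images.append(m["digest"])
    return [d for d in images if d not in covered]

if __name__ == "__main__":
    print(images_missing_sbom(INDEX, MANIFESTS.get))
```

Used as a CI gate, a non-empty result or the `ValueError` means the pushed tag has no SBOM for at least one platform, whatever the build log said.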
About this issue
- State: closed
- Created 9 months ago
- Comments: 18 (9 by maintainers)
@elsmorian We have updated our docs related to the inspect format (https://github.com/docker/buildx/pull/2122), see https://docs.docker.com/engine/reference/commandline/buildx_imagetools_inspect/.
To output the SBOM use:
Also added extra jobs in our workflow to check this behavior: https://github.com/docker/build-push-action/pull/1005. See for example https://github.com/docker/build-push-action/actions/runs/6942189435/job/18884628164#step:6:1
I don’t see any usage of the build-push-action in this workflow.
I’m not quite sure about this warning. As @jedevc said it’s not expected.
@deitch I just released an RC of the buildkit syft scanner image: https://github.com/docker/buildkit-syft-scanner/releases/tag/v1.3.0-rc.1
Can you try with:
--attest type=sbom,generator=docker/buildkit-syft-scanner:1.3.0-rc.1
With build-push-action: